Digital media content can be delivered easily and efficiently through any suitable network, although such content has typically been delivered as broadcast digital content over cable and/or satellite networks. For digital content to be delivered effectively, however, a basis for secure delivery must be provided. In particular, where payment is required, the digital content should be secured against theft, such that only authorized users can retrieve and display it. At the same time, the content should be delivered efficiently: the security mechanism should not hinder or otherwise reduce the performance of the delivery mechanism itself, such as broadcast and/or multicast, for example.
One attempt to provide such effective mechanisms is described in U.S. Pat. Nos. 5,282,249 and 5,481,609, both to Cohen et al., which are hereby incorporated by reference as if fully set forth herein. The disclosed system enables a signal containing media content to be broadcast widely, yet only to be played back or otherwise displayed by authorized users. This signal could contain a television program for example. The signal is scrambled, such that the authorized users are able to unscramble the signal and play back or otherwise display the media content only with the proper security device, such as a smart card for example. Thus, widely received media content is still protected from access by unauthorized users.
Scrambled television data streams described in the Cohen et al patents comprise both scrambled data representing television signals and coded control messages, also known as ECMs (Entitlement Control Messages). The ECMs of Cohen et al comprise, in a coded form, data necessary for generating a control word (CW) which may be used to descramble the scrambled data representing television signals. An ECM is also termed a control word packet or CWP.
Data necessary for generating a control word is known in the background art to take many different forms and may include, in general, at least any of the following: a control word; an encrypted control word packet which is intended to be decrypted before use; and a seed to a generating function such as, for example, a one-way function which generates the control word upon input of the seed. Throughout the present specification and claims the terms “control word generating information” and “CW generating information” are used interchangeably to designate data necessary for generating a control word in any appropriate form, as described above.
Another attempted solution is described in published European Patent Application No. EP 0858184 and in corresponding U.S. Pat. No. 6,178,242, which disclose a digital recording protection system and which are hereby incorporated by reference as if fully set forth herein. The disclosed system enables the digital content to be sent in a digitally scrambled format, such that the digital content cannot be read and/or displayed without a key. The key is obtained from a control message, which is only sent to authorized users. Preferably, the key is obtained from coded information contained within the Entitlement Control Message, or ECM, for generating a control word associated with the ECM. Thus, only authorized users are able to correctly read and/or display the digital content.
In addition, the system and method described in European Patent Application No. EP 0858184 enable the authorized user to record and playback or otherwise display the digital content, while preventing the user from producing and distributing multiple playable copies of the digital content to other, non-authorized users. Therefore, the authorized user is able to fully use and enjoy the digital content, while the content itself is still protected from unauthorized use.
As described in European Patent Application No. EP 0858184, and as shown in background art FIG. 1 taken from this Application, such a system includes a media device 100, such as a television set, for playing the digital content, such as a television program for example. Media device 100 is connected to an integrated receiver-decoder (IRD) 110, for receiving and decoding the digitally scrambled digital content. The system also features a removable security element 120, such as a smart card for example, for providing control words for unscrambling, or otherwise rendering into a clear format, the digitally scrambled digital content by IRD 110. In addition, the system features a digital VCR 130 for communicating with media device 100 and IRD 110. Digital VCR 130 is able to record the digital content for later playback and/or display by media device 100.
IRD 110 receives digitally scrambled digital content which features a plurality of ECMs, each of which is associated with, and is typically followed by, a digitally scrambled digital data segment, containing the actual digital content. Each ECM includes coded information which can be used to generate a control word for unscrambling the associated digitally scrambled digital data segment. Typically, removable security element 120 generates the control word. IRD 110 is then able to unscramble the digitally scrambled digital content, for example for being played by media device 100.
Background art FIG. 2, also taken from European Patent Application No. EP 0858184, is a flow diagram illustrating the production of the digitally scrambled digital content. As shown, the digitally scrambled digital content is produced as an SDDS (digitally scrambled digital data stream) 140, featuring a plurality of ECMs such as an nth ECM 145, and a plurality of associated SDSEGs such as an nth SDSEG (digitally scrambled digital data segment) 150 which is associated with nth ECM 145. IRD 110 of FIG. 1, in cooperation with removable security element 120, is able to use SDDS 140 in order to form a recording SDDS 165. Recording SDDS 165 is produced with the addition of a TECM (transformed ECM) key, which is permanently associated with the system of FIG. 1, even if removable security element 120 is changed, replaced or exchanged, for example. This TECM key is used to make a plurality of TECMs, shown as nth TECM 175, from the control words of the ECMs. Thus, a system which did not feature the correct TECM key could not unscramble the recording SDDS 165 for playing back or otherwise displaying the digital content, while the authorized user is always able to play back or otherwise display the recorded digital content as long as the TECM key is available.
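The following Python simulation is added here as an illustration of the flow of FIGS. 1 and 2; it is not code from the Cohen et al or EP 0858184 disclosures. The headend emits (ECM, SDSEG) pairs, the security element derives each control word from the seed carried in the ECM (the "seed to a one-way function" form of CW generating information), the IRD descrambles for live viewing, and for recording the IRD replaces each ECM by a TECM in which the control word is wrapped under a TECM key bound to the receiver, leaving the scrambled data untouched. The card secret, the TECM key, the segment data and seeds, and the SHA-256 keystream and HMAC-based CW derivation are all assumptions of the example; a real system would use a standard cipher such as AES.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

# Toy primitives, for illustration only. A deployment would use a standard
# cipher (e.g. AES in CTR or GCM mode) in place of the SHA-256 keystream.

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from SHA-256 (toy stream cipher)."""
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

@dataclass(frozen=True)
class ECM:
    seed: bytes            # CW generating information: seed to a one-way function

@dataclass(frozen=True)
class TECM:
    seed: bytes            # kept so the same unique value can serve as the wrap nonce
    wrapped_cw: bytes      # control word encrypted under the receiver's TECM key

class SecurityElement:
    """Removable security element (smart card). Derives the control word from
    the ECM seed with a keyed one-way function; only a card sharing the
    headend's card secret produces the right CW (assumed derivation)."""
    def __init__(self, card_secret: bytes):
        self.card_secret = card_secret

    def control_word(self, ecm: ECM) -> bytes:
        return hmac.new(self.card_secret, ecm.seed, hashlib.sha256).digest()[:16]

def headend_scramble(card_secret: bytes, clear_segments: List[bytes],
                     seeds: List[bytes]) -> List[Tuple[ECM, bytes]]:
    """Build the SDDS: each SDSEG scrambled under its own CW, preceded by its ECM.
    Seeds must be unique per segment (they also serve as nonces below)."""
    card = SecurityElement(card_secret)   # headend derives CWs the same way the card will
    sdds = []
    for clear, seed in zip(clear_segments, seeds):
        ecm = ECM(seed)
        cw = card.control_word(ecm)
        sdds.append((ecm, _xor(clear, _keystream(cw, b"sdseg", len(clear)))))
    return sdds

class IRD:
    """Integrated receiver-decoder. Holds a TECM key that stays with the
    receiver even if the security element is swapped."""
    def __init__(self, card: SecurityElement, tecm_key: bytes):
        self.card = card
        self.tecm_key = tecm_key

    def _wrap_cw(self, seed: bytes, cw: bytes) -> bytes:
        # XOR with a keystream keyed by the TECM key; the seed is the nonce.
        return _xor(cw, _keystream(self.tecm_key, b"tecm" + seed, len(cw)))

    def descramble(self, sdds: List[Tuple[ECM, bytes]]) -> List[bytes]:
        """Live viewing: the card turns each ECM into a CW, the IRD descrambles."""
        return [_xor(seg, _keystream(self.card.control_word(ecm), b"sdseg", len(seg)))
                for ecm, seg in sdds]

    def record(self, sdds: List[Tuple[ECM, bytes]]) -> List[Tuple[TECM, bytes]]:
        """Recording SDDS: scrambled data is stored unchanged; each ECM is replaced
        by a TECM carrying the CW wrapped under this receiver's TECM key."""
        return [(TECM(ecm.seed, self._wrap_cw(ecm.seed, self.card.control_word(ecm))), seg)
                for ecm, seg in sdds]

    def play_recording(self, recording: List[Tuple[TECM, bytes]]) -> List[bytes]:
        """Playback needs only the TECM key, not the card that made the recording."""
        out = []
        for tecm, seg in recording:
            cw = self._wrap_cw(tecm.seed, tecm.wrapped_cw)   # XOR wrap is its own inverse
            out.append(_xor(seg, _keystream(cw, b"sdseg", len(seg))))
        return out

# Constructed sample data (not from the patents).
CARD_SECRET = b"headend-and-card-shared-secret"
TECM_KEY = b"receiver-bound-tecm-key"
CLEAR = [b"segment-1: frame data", b"segment-2: frame data", b"segment-3: frame data"]
SEEDS = [b"\x00\x00\x00\x01", b"\x00\x00\x00\x02", b"\x00\x00\x00\x03"]

def demo() -> dict:
    sdds = headend_scramble(CARD_SECRET, CLEAR, SEEDS)
    ird = IRD(SecurityElement(CARD_SECRET), TECM_KEY)
    recording = ird.record(sdds)
    swapped_card = IRD(SecurityElement(b"some-other-card"), TECM_KEY)   # card replaced, same receiver
    other_receiver = IRD(SecurityElement(CARD_SECRET), b"different-tecm-key")
    return {
        "live_ok": ird.descramble(sdds) == CLEAR,
        "recording_ok": ird.play_recording(recording) == CLEAR,
        "swapped_card_live": swapped_card.descramble(sdds) == CLEAR,
        "swapped_card_recording": swapped_card.play_recording(recording) == CLEAR,
        "other_receiver_recording": other_receiver.play_recording(recording) == CLEAR,
    }

if __name__ == "__main__":
    print(demo())
```

The result shows the two properties the text describes: a receiver with the wrong card cannot descramble the live SDDS but can still play its own recording, because the TECM key rather than the card secret protects the recorded control words, while a different receiver (different TECM key) cannot play the recording at all.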
All of these background art references describe mechanisms for the secure delivery of content which are quite useful for such networks as cable and/or satellite networks. However, these references are less useful for packet-based networks, such as the Internet for example, as well as for other types of IP networks. Packet-based networks are typically not dedicated networks for the delivery of particular types of digital media content. Certainly, many different types of content are delivered through the Internet. Furthermore, the Internet is an inherently open, insecure conduit for digital content, as it is widely accessible. The general accessibility of the Internet is also quite useful, since digital media content could be delivered to many different users, internationally, easily and at relatively low cost. Unfortunately, the above-referenced background art references do not teach or suggest a mechanism for secure delivery of digital media content through a packet-based network, particularly for selected, targeted digital media content.
Furthermore, encryption of media content transmitted according to formats and standards such as MPEG (Moving Picture Experts Group) is handled at the PID (packet identifier) level. The PID is only a 13-bit field, and decryption and re-encryption of the data would be required whenever the data is transmitted across networks. Such a small amount of information is not sufficient both for encrypting the digital media content and for identifying those devices which are permitted to decrypt and access the content. The further requirement for decryption and re-encryption when crossing networks is also a disadvantage. Encryption of data transmitted according to IP protocols provides an “end-to-end” solution, in which the encrypted data is carried in its encrypted form all the way to the end device or client. By contrast, the PID is a data link level identifier only, so encrypted data identified in this way must be decrypted and re-encrypted at each segment of the transmission path, and cannot be transmitted directly to the end device or client in its encrypted format.
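To make the 13-bit figure concrete, the following Python parser, added here as an illustration and not taken from the patent or from any MPEG reference implementation, decodes the 4-byte MPEG-2 transport stream packet header. The sample packet is constructed. The header offers a 13-bit PID and a 2-bit transport_scrambling_control field; neither carries any information about which receivers are entitled to descramble, which is the limitation the text describes.

```python
from typing import Dict

TS_PACKET_SIZE = 188
PID_BITS = 13

def parse_ts_header(packet: bytes) -> Dict[str, int]:
    """Parse the 4-byte MPEG-2 transport stream header.

    Layout (MSB first):
      sync_byte(8) | TEI(1) PUSI(1) priority(1) PID(13) |
      transport_scrambling_control(2) adaptation_field_control(2) continuity_counter(4)
    """
    if len(packet) != TS_PACKET_SIZE or packet[0] != 0x47:
        raise ValueError("not a 188-byte TS packet with sync byte 0x47")
    b1, b2, b3 = packet[1], packet[2], packet[3]
    return {
        "transport_error": b1 >> 7,
        "payload_unit_start": (b1 >> 6) & 1,
        "priority": (b1 >> 5) & 1,
        "pid": ((b1 & 0x1F) << 8) | b2,          # 13 bits: 8192 possible streams
        "scrambling_control": b3 >> 6,           # 00 = clear, 10/11 = scrambled (even/odd CW)
        "adaptation_field_control": (b3 >> 4) & 3,
        "continuity_counter": b3 & 0x0F,
    }

def build_ts_header(pid: int, scrambling: int = 0, pusi: int = 0,
                    afc: int = 1, cc: int = 0) -> bytes:
    """Inverse of parse_ts_header, used here to construct sample packets."""
    if not 0 <= pid < (1 << PID_BITS):
        raise ValueError("PID must fit in 13 bits")
    b1 = (pusi << 6) | (pid >> 8)
    b2 = pid & 0xFF
    b3 = (scrambling << 6) | (afc << 4) | (cc & 0x0F)
    return bytes([0x47, b1, b2, b3])

# Constructed sample: a scrambled video packet on PID 0x100, payload-only, CC 5.
SAMPLE_PACKET = build_ts_header(0x100, scrambling=0b10, pusi=1, cc=5) + b"\xff" * 184

if __name__ == "__main__":
    print(parse_ts_header(SAMPLE_PACKET))
```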
Currently, security for the transmission of content over packet-based networks is handled through one-to-one key exchange mechanisms, in which a central server sends a key individually to each end user computer. Clearly, sending such a key separately to each such computer is inefficient, as it requires extensive bandwidth. Furthermore, the management of such keys is also difficult, although a number of attempted solutions have been proposed.
For example, IPsec (IP Security) was initially developed as a framework for unicast protocols; use for multicast transmission was intended as an additional feature, but the framework was not specifically designed for multicast. However, some elements that are useful in a unicast environment become problematic when extended to multicast. A case in point is key-based security systems and the infrastructure they require.
There are two main areas for classic key management in a multicast environment: initializing a multicast group with a common key, and rekeying (updating) the multicast group. For example, public key systems require a mechanism for obtaining the necessary public keys. A per-session server-and-request model is notably insecure (impostor and man-in-the-middle attacks, etc.). If a client-server model is to be used, then third-party authentication and certification is also necessary, for example according to the X.509 standard. This standard provides for a certification hierarchy and traversal of trusted paths; however, it is a slow and traffic-heavy distribution method.
Cryptographic techniques have been proposed in order to increase the security of key distribution, by encrypting the keys before they are sent. Unfortunately, a basic problem with using cryptographic techniques for key distribution is that each user must be authenticated to receive a key.
In general, standard group key management schemes establish and manage a common key for all members of a group. These management schemes are used for encryption standards and group authentication. A particular problem in this area is related to key revocation methods, as these models tend to work with largely static key possession, since updating with the distribution methods available tends to be bandwidth expensive and time consuming. Examples of key management protocols are described with regard to United Kingdom Patent No. GB 2353682 and U.S. patent application Ser. No. 09/502,867, both of which are hereby incorporated by reference as if fully set forth herein.
One example of a significant Group Key Management proposal is the GKMP protocol, which uses symmetric keys for all members of the group. This mechanism features a dedicated Group Controller (GC) whose responsibility is managing the group keys. The GC generates group keys in a joint operation with a selected group member. It then communicates with each member separately, validating permissions and sending it a group key, which is encrypted using a shared key (between that member and the GC). This method has very obvious and severe scaling difficulties.
The Scalable Multicast Key Distribution (SMKD) protocol uses the Core-Based Tree (CBT) routing protocol and provides a secure join to a group tree in a scalable manner. In such a tree, the routers know the identities of their tree neighbors, and starting from the core, which serves as the GC (generating group session keys and key distribution keys), and working outwards, each router is delegated the ability to authenticate joining members and provide them with the group key. This method is scalable; however, it is tied to a specific routing protocol and combines routing with security, such that each router must be fully trusted since it holds the same keys as the GC.
In MKMP (Multicast Key Management Protocol), the initial Group Key Manager (GKM) delegates key distribution authority dynamically. The GKM generates a group key and then sends a multicast message soliciting members to whom it can delegate the distribution authority for the rest of the group members. A message containing keys and access lists is sent to and decrypted by those solicited members, who will then operate as GKMs in their own right. This method allows for a dynamic adaptable on-line group topology. Since MKMP uses a single key for the total group it avoids multiple (hop-by-hop) decryption/re-encryption of payload.
Iolus deals with scalability issues by using a “secure distribution tree”, wherein the multicast group is divided into a hierarchical set of subgroups. There is a Group Security Controller (GSC) at the top level and Group Security Intermediaries (GSIs) for managing the subgroups. Each subgroup has its own sub-key, chosen by the GSI. The GSI knows the keys of its subgroup and of the next higher group and translates messages between the levels. This model suffers from built-in latency during decryption and re-encryption, and has difficulties dealing with untrusted GSIs.
In general, group key management systems which rely on a single group controller still have difficulty scaling to large systems and are burdened by a single point of failure. In this instance the single point of failure is also a security weakness: where, in some of the models above, more than one GC is used, the compromise of one such GC usually means the compromise of the other GCs as well. Furthermore, all of these protocols suffer from drawbacks in the area of compromise recovery and/or revocation of membership.
Various methods have been discussed in the literature in order to improve group key management systems, for example by using groups of members as controllers and cluster architectures. Hardjono, et al (“Secure IP Multicast: Problem areas, Framework, and Building Blocks”, Internet Research Task Force, draft-irtf-smug-framework-01.txt September 2000; for other references, see the list at the end of this section) suggest a further extension of the Iolus tree distribution model, and other extensions/proposed solutions have also been suggested.
In ‘Key management for Multicast: Issues and Architecture’ (see full reference below), a hierarchical tree approach is proposed in order to limit the number of transmissions (key exchanges) and the key storage required. Although more efficient than other variations, the basic key distribution principles are still enforced and are still subject to the same arguments previously cited against standard key distribution models.
The above problems become even more complex with regard to key revocation. In order to prevent new group members from accessing older data, or departing members from accessing new data, a group controller has to change the multicast group key whenever membership in the group changes. Adding a new member, whether from a central GC or in one of the distributed models, is fairly straightforward and efficient, i.e. using a one-to-one unicast model. Revoking membership rights in the standard group key protocols, however, becomes very problematic, because the departing member already holds the group key.
The approach taken by many key management protocols (GKMP, SMKD, MKMP) to remove a member is to generate a new group key and send it independently to each of the remaining group members, usually under a secret key shared between each member and the GC. In effect a new multicast group is created. The scaling problems here are significant, as are the timing issues: how to make the new key available in time to access the new data, and how to handle cases where it is not. In particular, the group is not operational during the recovery process once the old key has been declared invalid, so recovery and revocation are inefficient and may even prevent legitimate members from receiving data and/or other services. Timing issues are less significant for the initial creation of the group, since members may be selected and may receive the key(s) well in advance of the actual operation of the group.
The alternatives discussed above, in which groups are divided into sub-groups (trees, hierarchical trees, clusters, etc.), allow for better scaling by requiring changes only within the affected subgroup. Matters become more complex when one of the local controllers for a group becomes untrusted, since replacement keys must then be handled within a complex structure and across different levels of influence.
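The following Python simulation is added here to make the revocation cost comparison above concrete; it is not code from any of the cited protocols or papers. It implements a logical key tree of the kind proposed in ‘Key management for Multicast: Issues and Architecture’: every member holds the keys on the path from its leaf to the root, the root key is the group key, and when a member leaves the controller replaces only the keys on that member's path, wrapping each new key under the keys of the surviving children. The departed member cannot unwrap any rekey message, and the number of messages grows as 2·log2(n) − 1 instead of the n − 1 unicasts of the flat approach. The power-of-two group size, the SHA-256/HMAC toy key wrap and the 16-byte keys are assumptions of the example; a deployment would use a standard key wrap such as AES Key Wrap.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

Key = bytes
WrappedKey = Tuple[bytes, bytes, bytes]            # (nonce, ciphertext, tag)
RekeyMsg = Tuple[int, int, WrappedKey]             # (node being rekeyed, node whose key wraps it, wrapped key)

def _wrap(wrapping_key: Key, new_key: Key) -> WrappedKey:
    """Toy authenticated key wrap: SHA-256 pad XOR plus an HMAC tag (assumption; use AES Key Wrap in practice)."""
    nonce = os.urandom(16)
    pad = hashlib.sha256(wrapping_key + nonce).digest()[:len(new_key)]
    ct = bytes(a ^ b for a, b in zip(new_key, pad))
    tag = hmac.new(wrapping_key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag

def _unwrap(wrapping_key: Key, msg: WrappedKey):
    nonce, ct, tag = msg
    if not hmac.compare_digest(tag, hmac.new(wrapping_key, nonce + ct, hashlib.sha256).digest()):
        return None                                # wrong key: not addressed to this holder
    pad = hashlib.sha256(wrapping_key + nonce).digest()[:len(ct)]
    return bytes(a ^ b for a, b in zip(ct, pad))

def apply_rekey(state: Dict[int, Key], msgs: List[RekeyMsg]) -> int:
    """A member processes rekey messages in order; returns how many keys it updated."""
    updated = 0
    for node, under, msg in msgs:
        if under in state:
            new_key = _unwrap(state[under], msg)
            if new_key is not None:
                state[node] = new_key
                updated += 1
    return updated

class KeyTree:
    """Group controller holding a complete binary key tree in heap layout: root is 1,
    children of node i are 2i and 2i+1, member m's leaf is n+m. self.members maps
    each member to the keys it holds (its leaf-to-root path)."""
    def __init__(self, n_members: int):
        if n_members < 2 or n_members & (n_members - 1):
            raise ValueError("n_members must be a power of two >= 2 (example assumption)")
        self.n = n_members
        self.keys: Dict[int, Key] = {node: os.urandom(16) for node in range(1, 2 * n_members)}
        self.members: Dict[int, Dict[int, Key]] = {
            m: {node: self.keys[node] for node in self._path(n_members + m)} for m in range(n_members)}

    def _path(self, leaf: int) -> List[int]:
        path = []
        while leaf >= 1:
            path.append(leaf)
            leaf //= 2
        return path

    def group_key(self) -> Key:
        return self.keys[1]

    def leave(self, member: int) -> List[RekeyMsg]:
        """Revoke a member: replace every key on its path, bottom-up, each new key
        wrapped under the surviving child keys. Messages are multicast to all."""
        leaf = self.n + member
        del self.members[member]
        self.keys.pop(leaf)                        # the departed leaf key is never used again
        msgs: List[RekeyMsg] = []
        node = leaf // 2
        while node >= 1:
            new_key = os.urandom(16)
            for child in (2 * node, 2 * node + 1):
                if child in self.keys:            # skips only the departed leaf
                    # For the child on the path, self.keys[child] is already the fresh key.
                    msgs.append((node, child, _wrap(self.keys[child], new_key)))
            self.keys[node] = new_key
            node //= 2
        for state in self.members.values():        # delivery: every remaining member processes the same messages
            apply_rekey(state, msgs)
        return msgs

def flat_rekey_messages(n: int) -> int:
    """Flat GC model: one unicast of the new group key per remaining member."""
    return n - 1

def rekey_costs(n: int) -> Tuple[int, int]:
    """(flat unicast count, tree rekey message count) for one member leaving a group of n."""
    tree = KeyTree(n)
    return flat_rekey_messages(n), len(tree.leave(0))

if __name__ == "__main__":
    for n in (8, 64, 1024):
        print(n, rekey_costs(n))   # e.g. 1024 -> (1023, 19)
```

Each surviving member recovers the new group key from the multicast messages alone, so the window in which the group is not operational is one multicast round rather than n − 1 unicasts. The example does not address the separate problem noted in the text of a compromised intermediate controller; here the single controller still holds every key.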
Various other mechanisms are defined in the literature to overcome these problems, including using sets and subsets of keys distributed amongst the group members, multiple keys distributed in such a fashion that each member cannot compute a new key value on its own, but rather requires active participation of the other members, etc. None of these mechanisms overcome the previously described problems which are inherent to such key distribution mechanisms.